Most prompt injections on the web are pranks. The SEO ones are already a business.

TL;DR Google scanned Common Crawl for indirect prompt injections and found mostly pranks and SEO nudges, with little sophistication. But malicious detections are up 32% in three months, and the SEO bucket is already a real business play.

Google published their findings on indirect prompt injections in the wild. They ran a broad sweep of Common Crawl covering 2-3B English pages/month.

Key findings:

  • Six clusters: harmless pranks, helpful guidance (e.g., steering AI summaries), SEO manipulation, AI-agent deterrence, data exfiltration, and destructive commands (e.g., "delete all files").
  • Sophistication is low. Most are solo experimenters. Attackers have not yet operationalized the advanced exfiltration prompts from research papers.
  • A new anti-scraping technique: some websites lure agents to a page that streams infinite text to burn their compute and trigger timeouts.
  • SEO injections are getting more intricate. Some appear auto-generated by SEO suites and inserted into page copy to nudge AI assistants toward a vendor.
  • Malicious-category detections rose 32% between November 2025 and February 2026 across repeat scans of the archive.

Simple SEO prompt injection in page HTML. Source: Google.

Sophisticated SEO prompt injection, auto-generated by an SEO suite. Source: Google.
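
Agent-side handling of the infinite-text technique from the key findings, as an added example that is not from Google's report or this post: a reader that enforces a byte cap and a deadline over the whole body. The function name, the limits and the two simulated streams are assumptions constructed for illustration.

```python
import time
from typing import Callable, Iterable, Iterator, Tuple


def bounded_read(chunks: Iterable[bytes], max_bytes: int, max_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> Tuple[bytes, str]:
    """Read a streamed body under a byte cap and a total wall-clock deadline.

    Returns (data, reason) with reason in {"complete", "byte_cap", "deadline"}.
    The deadline spans the whole body: a per-read socket timeout alone never
    fires against a server that keeps sending a few bytes at a time. Keep a
    per-read timeout as well, since this loop only checks the clock when a
    chunk arrives.
    """
    deadline = clock() + max_seconds
    buf = bytearray()
    for chunk in chunks:
        if clock() > deadline:
            return bytes(buf), "deadline"
        room = max_bytes - len(buf)
        if len(chunk) > room:
            buf += chunk[:room]  # keep what fits, then stop reading
            return bytes(buf), "byte_cap"
        buf += chunk
    return bytes(buf), "complete"


def endless_text() -> Iterator[bytes]:
    """Constructed stand-in for a page that never stops sending text."""
    while True:
        yield b"lorem ipsum " * 100  # 1200 bytes per chunk


def slow_drip(fake_now: list, step: float) -> Iterator[bytes]:
    """Constructed slow stream: each 1-byte chunk costs `step` fake seconds."""
    while True:
        fake_now[0] += step
        yield b"x"


if __name__ == "__main__":
    data, reason = bounded_read(endless_text(), max_bytes=10_000, max_seconds=5)
    print(len(data), reason)
    now = [0.0]
    data, reason = bounded_read(slow_drip(now, 1.0), 10_000, 5, clock=lambda: now[0])
    print(len(data), reason)
```

With the `requests` library, the `chunks` argument would be `response.iter_content(chunk_size=8192)` on a response opened with `stream=True`.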

My take:

  1. The SEO bucket is the most real one, because it's revenue for businesses. Microsoft caught the same trend earlier this year, which I wrote about.
  2. The 32% jump in the holiday season makes sense. It'd be great to know which categories drove the growth.
  3. Open web analysis is interesting, but the real indirect action will be on social, in email, and inside shared docs. It'd be great if Google shared indirect prompt injections they see in Gmail and Drive.

Sources:

AI threats in the wild: The current state of prompt injections on the web